[lxgr]

What is actually happening here?

I can think of at least three different ways of performing that kind of authentication (SMS-OTP, leveraging the operator’s metadata about via a HTTP proxy, or actually using the SIM via e.g. EAP-AKA).

Arguably, only the last one would be "using a SIM card", as the title suggests, and neither of them are appealing to me as a user:

Why would I tie authentication to a mobile operator (which aren‘t usually known for stellar security practices) when all new iOS and Android phones support FIDO, both internally and with external authenticators?